By Eric Ooi, Director of Security and Research

In part one of this two-part series on trusting zero trust, we concluded that a robust monitoring program – as recommended by the Cybersecurity and Infrastructure Security Agency (CISA) – is a necessary foundation for learning to trust your zero trust architecture.

But what does a “zero trust monitoring” program look like?

Verifying Controls, Detecting Threats, and Monitoring Assets

You may have implemented a secure access policy, but is it truly enforcing multi-factor authentication and blocking insecure protocols? Monitoring can reveal what controls aren’t functioning as intended and enable you to course correct. Monitoring can also identify threats that may not surface through traditional alerting, enabling investigations into suspicious or malicious activities. The collected data is useful for deep dives into security incidents, troubleshooting, and operational monitoring.

Another critical aspect of monitoring is asset prioritization. With a detailed and accurate asset inventory, you can assign criticality to each asset and more effectively prioritize your efforts based on budget and team size.

The Nuts and Bolts of Zero Trust Monitoring

Let’s outline a few high-level steps necessary for any effective zero trust monitoring program. Note that each of these steps, and its related tasks, could become a time-intensive project of its own, depending on your organization’s size and available resources.

Asset Inventory

You can’t start monitoring if you don’t know what to monitor in the first place. Having an accurate asset inventory doesn’t just mean knowing what devices you have; it should also include:

  • Having an up-to-date infrastructure diagram that details core components.
  • Identifying both enterprise-owned and non-enterprise-owned (BYOD) devices.
  • Knowing where your critical files (PII, customer data, intellectual property) are stored.


If you want to know how your zero trust architecture is performing, you’ll want logs that tell you what’s truly happening. You should collect logs from the following:

  • Threats detected
  • URLs visited
  • Connection logs
  • HTTPS decryption logs
  • VPN logs

In our cloud-and-remote-first world, collecting firewall and network device logs may seem unnecessary. However, many employees continue to use a corporate VPN or proxy, meaning a significant amount of network traffic is still routed through corporate infrastructure and can be easily logged.

  • Malware alerts
  • File events
  • Process events
  • Network events

Endpoint protection, detection, and response platforms collect a wealth of information in addition to blocking malicious threats. EPP/EDR often provides the only visibility into a remote employee’s computing activities. File, process, and network events provide insight into possible malicious activity, regardless of the user’s location.

  • Windows Event logs
  • macOS Apple Unified logs
  • Linux Auditd logs

Traditional operating system logs, when tuned and configured properly, can provide valuable insight into a system’s activities. This is especially helpful if you don’t already have an EPP/EDR platform but works even better as a complementary data source, enabling you to correlate and contextualize event data.

Many organizations don’t realize that cloud platforms, whether it’s Microsoft 365 or Amazon Web Services, generate detailed audit logs that can be used to effectively monitor and verify your zero trust controls.
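As an added illustration (not code from ECS), the sketch below shows how audit logs can verify the two controls questioned earlier, enforced multi-factor authentication and blocked insecure protocols. The log records, field names, and blocked-protocol list are constructed assumptions, not any cloud platform's actual schema.

```python
import json
from collections import Counter

# Constructed sign-in audit records (JSON lines). Field names are hypothetical,
# not the schema of any particular cloud platform.
SAMPLE_LOG = """\
{"user": "alice", "result": "success", "mfa": true, "protocol": "oauth2"}
{"user": "bob", "result": "success", "mfa": false, "protocol": "oauth2"}
{"user": "carol", "result": "success", "mfa": false, "protocol": "IMAP"}
{"user": "dave", "result": "failure", "mfa": false, "protocol": "pop3"}
{"user": "erin", "result": "success", "mfa": true, "protocol": "oauth2"}
not-json-line
"""

# Assumed policy: protocols the access policy is supposed to block.
BLOCKED_PROTOCOLS = {"imap", "pop3", "smtp-basic"}


def verify_controls(log_text):
    """Return (findings, stats); findings are successful sign-ins the policy should have stopped."""
    findings, stats = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None
        if not isinstance(event, dict):
            stats["unparsed"] += 1  # a telemetry gap is worth tracking too
            continue
        stats["events"] += 1
        if event.get("result") != "success":
            continue  # a denied attempt means the control did its job
        reasons = []
        if not event.get("mfa", False):
            reasons.append("no_mfa")
        if str(event.get("protocol", "")).lower() in BLOCKED_PROTOCOLS:
            reasons.append("blocked_protocol")
        if reasons:
            findings.append({"line": lineno, "user": event.get("user"), "reasons": reasons})
    return findings, stats


if __name__ == "__main__":
    for finding in verify_controls(SAMPLE_LOG)[0]:
        print(finding)
```

Only successful sign-ins count as findings: a failed attempt over a blocked protocol is evidence the control works, while a success is evidence it does not.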


Once your logs are set up, the most efficient way to process this data is to send those logs to a security information and event management (SIEM) platform that can centralize the collection, correlation, and contextualization of all your disparate logs.

A SIEM helps you quickly identify and respond to suspicious behavior by providing a single system from which to run queries and monitor. With the amount of logging and telemetry generated even in small networks, SIEMs are increasingly essential for any robust zero trust monitoring program.

Threat Intelligence

Finally, you’ll want to enhance your monitoring capabilities with threat intelligence. You’ll likely have access to a general form of threat intelligence with your network and security infrastructure, including firewalls and endpoint protection platforms. As you mature your zero trust monitoring program, the goal is to use threat intelligence that is specific to your industry or, ideally, your organization.

Organizations of any size can benefit from data science and analytics tools that digest and investigate publicly available information and open-source intelligence. More sophisticated programs might set up a dedicated honeypot network masquerading as critical infrastructure to gather organization-specific intelligence.

Anytime you identify malicious or suspicious activity on your networks, the artifacts of the subsequent investigation, including IPs, hashes, URLs, and domains, are forms of threat intelligence. Feed these back into your SIEM to identify similar malicious activity in the future.
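The feedback loop described above can be sketched as follows. This is an added example, not ECS code: the indicators and events are constructed from documentation-reserved addresses and example domains, the event field names are hypothetical, and a real SIEM would express the same matching as a lookup or watchlist.

```python
from urllib.parse import urlsplit

# Constructed indicators from a finished investigation (placeholders, not real IoCs).
INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"bad.example"},
    "url": {"http://files.example.net/update.bin"},
    "sha256": {"ab" * 32},
}

# Constructed events from three log sources; field names are hypothetical.
EVENTS = [
    {"source": "firewall", "host": "wks-01", "dst_ip": "198.51.100.7"},
    {"source": "firewall", "host": "wks-02", "dst_ip": "203.0.113.45"},
    {"source": "proxy", "host": "wks-03", "url": "https://CDN.bad.example/a.js"},
    {"source": "proxy", "host": "wks-04", "url": "http://files.example.net/update.bin"},
    {"source": "proxy", "host": "wks-05", "url": "https://notbad.example/"},
    {"source": "edr", "host": "wks-06", "sha256": "AB" * 32},
]


def domain_matches(hostname, bad_domains):
    """True if hostname equals a listed domain or is a subdomain of one."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in bad_domains for i in range(len(labels)))


def match_event(event, indicators):
    """Return the indicator types this event matches."""
    hits = []
    if event.get("dst_ip") in indicators["ip"]:
        hits.append("ip")
    if "sha256" in event and event["sha256"].lower() in indicators["sha256"]:
        hits.append("sha256")  # hashes are compared case-insensitively
    url = event.get("url")
    if url:
        parts = urlsplit(url)
        host = parts.hostname or ""  # urlsplit lowercases the hostname
        # Scheme and host are normalized; the path is compared as logged, port ignored.
        if f"{parts.scheme.lower()}://{host}{parts.path}" in indicators["url"]:
            hits.append("url")
        if host and domain_matches(host, indicators["domain"]):
            hits.append("domain")
    return hits


def retro_hunt(events, indicators):
    """List (host, source, hit types) for every event that matches an indicator."""
    return [(e["host"], e["source"], h) for e in events if (h := match_event(e, indicators))]


if __name__ == "__main__":
    for hit in retro_hunt(EVENTS, INDICATORS):
        print(hit)
```

Matching on label boundaries keeps `notbad.example` from triggering on the `bad.example` indicator while still catching its subdomains.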

Starting From Zero

Implementing an effective zero trust monitoring program doesn’t have to break the bank. There are cost-effective solutions available for every aspect of a zero trust monitoring program. As you mature your program, you can scale up your monitoring as needed. It’s also important to staff a team with strong technical backgrounds and a solid understanding of your business and industry to get the most out of your platforms.

The ECS Difference

Building a zero trust monitoring program on your own can be overwhelming. That’s where ECS comes in. If you’re ready to start trusting zero trust, we will assess your organization’s zero trust architecture, identify gaps, and deliver solutions that close them.

Reach out to our experts today!

© 2023 ECS. All Rights Reserved.